OSI Model
Layer mnemonic (7 down to 1): A P S T N D P

Upper layers (7, 6, 5) don't deal with data delivery; they provide standardization of how applications share data and communicate with one another.
7. Application - Doesn't provide services to the other layers, but it does communicate with user applications and selects the appropriate network application for those applications.
6. Presentation - Data representation, encryption, and compression. Supports different protocols for text, data, sound, graphics, and images (ASCII, EBCDIC, MIDI, MPEG, GIF, JPEG, PICT, TIFF).
5. Session - Establishes, manages and terminates sessions between apps. A session is a dialog between Presentation layers of two or more systems. Protocols include NFS, SQL, ASP, and RPC.

Middle layer provides end-to-end data transportation services to the upper layers.
4. Transport - Performs flow control by buffering, multiplexing, and parallelization. Provides end-to-end services by segmenting upper layers, establishing end-to-end connection, sending segments, and ensuring reliable data transport. Data Unit is Segments.

Lower layers:
3. Network - Determines the best path from one network to another (path determination), packet switching; also known as the domain of routing. Routers work at this layer. Uses routing protocols (RIP, OSPF) and routed protocols (IP, IPX) to provide logical addresses. Data Unit is Packets.
2. Data Link - Made up of the LLC and MAC sublayers. Bridges/switches work at this layer. Allows upper layers to work independently of the physical media. Performs physical hardware addressing, optional flow control, and error notification. LLC (Logical Link Control) is where framing occurs by the IEEE standards. MAC sublayer deals with hardware functions and maintains the physical address (48 bits, burned onto card by manufacturer) of the network card going into each host or gateway. Data Unit is Frames.
1. Physical - Where signals are converted to bits for transport across a LAN. Mechanical and electrical functions of the OSI model. Communicates with peer layers regarding activating, maintaining, and deactivating a circuit. Data Unit is Bits.

Devices at the OSI Layers
Device   Layer       Data Unit
Router   Network     Packets
Bridge   Data Link   Frames
Switch   Data Link   Frames
Hubs     Physical    Bits

5 Steps of data encapsulation:
1. User information is converted to data (App - Session)
2. Data is converted to segments (Transport)
3. Segments are converted to packets (Network)
4. Packets are converted to frames (Data Link)
5. Frames are converted to bits (Physical)

Connection Oriented vs. Connectionless (Transport)
Connection Oriented requires a unique session or pipe to be established (TCP). Setup and maintenance procedures are performed to ensure delivery of messages. Establishes a Virtual Connection between the two devices.
Connectionless can be sent any time to any destination without any setup or acknowledgement (UDP). It is up to the application to determine if the data gets to the destination, instead of the protocols. The advantage is that it is faster and more efficient since it doesn't have acknowledgements.

Routing Protocols
Distance Vector Routing - Routing protocols that send their routing tables to their neighbors; uses the distance to a remote network to find the best path (RIP and IGRP).
Counting to Infinity - Distance vector routing error that can be remedied by Maximum Hop Count, Split Horizons, Route Poisoning, and Hold-Down timers.
Link State Routing - Sends the state of its own interfaces to every router in the network; determines the entire network topology, then uses the SPF (Shortest Path First) algorithm to find the best route (OSPF; EIGRP is a hybrid of DV and LS).
Link State routing problems - Router resource usage, bandwidth consumption, and update synchronization.
Solutions - Lengthening the update frequency, exchanging route summaries, using time stamps, or using sequence numbers can remedy the problems.

Routing Problems:
Convergence - Time it takes all routers to receive an update and agree on optimal routes through the internetwork.
Routing Loops - When two or more routers have not yet converged and are broadcasting inaccurate routes.

Routing Problems' Solutions:
Hold-downs - Prevent regular update messages from reinstating a route that is down.
Route Poisoning - If a router's connected network goes down, it sets its hop count to the maximum amount to make the network unreachable.
Split Horizons - Specify that a router can't send information about a route out the interface it was originally learned from.
Maximum Hop Count - DV (RIP) permits a hop count of up to 15, so a packet that is caught in a routing loop will only travel 15 hops; on the 16th the network is deemed unreachable and the packet is discarded.

Configuring Routing Protocols
Configuring Static Routes
Syntax: ip route [dest] [mask] [next_hop | exit_int]
Example:
R_3(config)#ip route 192.168.1.0 255.255.255.0 serial0
Configuring RIP (Routing Information Protocol):
Syntax:
Router(config)#router rip
Router(config-router)#network <network #>
Example:
Router(config)#router rip
Router(config-router)#network 10.0.0.0
Router(config-router)#network 192.168.1.0
Configuring IGRP (Interior Gateway Routing Protocol)
Syntax:
Router(config)#router igrp <autonomous system #>
Router(config-router)#network <network #>
Example:
Router(config)#router igrp 200
Router(config-router)#network 10.128.22.0
Router(config-router)#network 192.168.1.0
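The routing-problem notes above describe counting to infinity, split horizon and the RIP maximum hop count in words. The following simulation is an added example (not part of the cheat sheet) that lets you watch them happen: three routers A - B - C exchange RIP-style distance vectors, network N behind C fails, and B's metric for N is recorded each round with and without split horizon. Router names, the topology and the three-round ageing timeout are constructed for the example; INFINITY = 16 is RIP's real unreachable metric.

```python
"""Distance-vector convergence after a network failure (added example).

Three-router chain A - B - C; network N is directly connected to C. Each round
every router advertises its table to its neighbours (advertised metric = own
metric + 1) and accepts an advertisement if it is better, or if it comes from
the current next hop. When N fails, C stops advertising it. Without split
horizon B and C feed the stale route back to each other and count up to 16;
with split horizon B never hears the route back and simply ages it out.
"""

INFINITY = 16   # RIP: a metric of 16 means unreachable (15 usable hops)
TIMEOUT = 3     # constructed: rounds without a refresh before a route is declared down
NEIGHBOURS = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}   # constructed topology


def initial_tables():
    # table[router][network] = [metric, next_hop, age]; next_hop None = directly connected
    return {
        "A": {"N": [2, "B", 0]},
        "B": {"N": [1, "C", 0]},
        "C": {"N": [0, None, 0]},
    }


def exchange_round(tables, split_horizon):
    """One synchronous round of updates; returns the new tables."""
    adverts = {}   # (sender, receiver) -> {network: advertised metric}
    for sender, nbrs in NEIGHBOURS.items():
        for receiver in nbrs:
            adv = {}
            for net, (metric, next_hop, _age) in tables[sender].items():
                if split_horizon and next_hop == receiver:
                    continue   # never advertise a route back out the interface it was learned on
                adv[net] = min(metric + 1, INFINITY)
            adverts[(sender, receiver)] = adv

    new = {}
    for router, nbrs in NEIGHBOURS.items():
        table = {net: list(entry) for net, entry in tables[router].items()}
        refreshed = set()
        for sender in nbrs:
            for net, metric in adverts[(sender, router)].items():
                cur = table.get(net)
                if cur is None:
                    if metric < INFINITY:
                        table[net] = [metric, sender, 0]
                        refreshed.add(net)
                    continue
                cur_metric, cur_hop, _age = cur
                if cur_hop is None:
                    continue   # directly connected routes are never overridden
                # Bellman-Ford: take a better metric, or whatever the current next hop now reports
                if metric < cur_metric or sender == cur_hop:
                    table[net] = [metric, sender, 0]
                    refreshed.add(net)
        for net, entry in table.items():
            if net not in refreshed and entry[1] is not None and entry[0] < INFINITY:
                entry[2] += 1
                if entry[2] >= TIMEOUT:
                    entry[0] = INFINITY   # route timed out: mark it unreachable
        new[router] = table
    return new


def simulate_failure(split_horizon, max_rounds=30):
    """N goes down at C. Returns B's metric for N after each round, stopping once it is unreachable."""
    tables = initial_tables()
    del tables["C"]["N"]   # C loses its connected network and stops advertising it
    history = []
    for _ in range(max_rounds):
        tables = exchange_round(tables, split_horizon)
        history.append(tables["B"]["N"][0])
        if history[-1] >= INFINITY:
            break
    return history


if __name__ == "__main__":
    print("no split horizon:", simulate_failure(split_horizon=False))
    print("split horizon:   ", simulate_failure(split_horizon=True))
```

Without split horizon B's metric climbs 1, 3, 3, 5, 5, ... and only stops at 16 because of the maximum hop count; with split horizon it stays at 1 until the route ages out and then jumps straight to 16. Hold-down timers and triggered updates are left out so the two effects stay easy to see.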
Checking Router Status Commands

Basic Router Operations
enable | disable - Enter privileged mode | exit to user mode
Ctrl+P - Previous command
Ctrl+N - Next command
Ctrl+A - Move to beginning of the line
Ctrl+E - Move to the end of the line
Ctrl+F - Forward one character
Ctrl+B - Back one character
Esc+B - Moves back one word at a time
Esc+A - Moves forward one word at a time
<shift>+<ctrl>+6 X - Shift between telnet sessions
<tab> - Completes commands

Viewing Router Information
show version - IOS version information.
show memory - Memory statistics.
show protocols - Active network routing protocols.
show running-config - Current config in RAM.
show startup-config - Saved config in NVRAM.
show interfaces - Interface status + config.
show flash - IOS file and free space.

Cisco Discovery Protocol (CDP)
show cdp - CDP info (broadcast, holdtime).
show cdp neighbor - Shows all devices directly connected to the router, hold time, local and remote port, 
ID, platform and capability info.
show cdp neighbor detail - Adds IP / IPX addresses to the above info.
show cdp entry [*(all) | NAME] - Shows info for all entries (*) or only one (NAME).
show cdp traffic - Shows traffic statistics.
show cdp interface [type number] - Displays info about the interfaces on which CDP is enabled.
cdp run - Enables CDP (global configuration).
cdp enable - Enables CDP for an interface (interface configuration mode).
cdp timer seconds - Specifies the CDP update frequency.
cdp holdtime seconds - Specifies the hold time to be sent in the CDP update packets.

TCP/IP
no ip routing - Disables IP routing.
show ip route - View IP routing table.
show ip interface - IP interface info (IP access lists).
debug ip rip - Shows routing updates as they are received and sent.
debug igrp events - Shows a summary of the IGRP routing info that is running on the network.
debug igrp transactions - Shows message requests from neighbor routers asking for updates and the broadcasts sent to them.

IPX/SPX
ipx routing - Enables IPX (and enables RIP routing automatically).
ipx maximum-paths <1-512> - IPX load balancing (default 1).
show ipx route - Views IPX routing tables.
show ipx interface - IPX interface info (IPX access lists).
show ipx servers - Lists the IPX servers discovered through SAP.
show ipx traffic - View info about the number and type of IPX packets transmitted and received.
debug ipx routing activity - Displays messages relating to IPX routing activity.
debug ipx routing events - Displays messages relating to IPX routing events.
debug ipx sap - Debug IPX SAP packets.

Backup Configurations
copy run start - Copy current config to NVRAM
copy start run - Copy config from NVRAM to RAM
copy run tftp - Copy config to TFTP server
copy tftp run - Restore config from server
copy flash tftp - Backup IOS to TFTP server
copy tftp flash - Restore IOS from TFTP server
boot system flash [filename] - Tells router which IOS file in flash to boot.
boot system tftp [filename] - Tells router which IOS file to request from the TFTP server.

Set Passwords (Global Config Mode)
line con 0 - Selects Console
line aux 0 - Selects Auxiliary
line vty 0 4 - Selects Telnet
login - Allows logins and
password cisco - sets the password to cisco
enable password cisco - Set password for privilege mode to cisco
enable secret cisco2 - Set encrypted password to cisco2

Configure Logical Addresses
TCP/IP - 32 bits
Syntax:
Router#configure terminal
Router(config)#interface <type> <Number>
Router(config-if)#ip address <addr> <mask>
Router(config-if)#no shut
Example:
Router(config)#interface Ethernet 0
Router(config-if)#ip address 192.168.1.100 255.255.255.0
Router(config-if)#no shutdown
IPX (only configure network ID, MAC is used for host ID) - 80 bits
Syntax:
Router#configure terminal
Router(config)#ipx routing
Router(config)#interface <type> <Number>
Router(config-if)#ipx network <#> encapsulation <type>
Router(config-if)#no shutdown
Example:
Router(config)#ipx routing
Router(config)#interface Ethernet 0
Router(config-if)#ipx network 2aa encap arpa
Router(config-if)#no shutdown

Subinterfaces (For IP or IPX)
Syntax: Router(config)#int <type> <#.subinterface #>
Examples:
IP
Router#configure terminal
Router(config)#interface serial 0.1
Router(config-subif)#ip address 192.168.1.1 255.255.255.0
IPX
Router(config)#int ethernet0.1
Router(config-subif)#ipx network 1 encap snap
Router(config-subif)#int ethernet0.2
Router(config-subif)#ipx network 2 encap sap
PPP Point-to-Point Protocol
Point-to-Point protocol is a Data Link layer protocol that can be used over asynchronous serial (dial-up) and synchronous serial (ISDN) media and that uses the LCP (Link Control Protocol) to build and maintain data-link connections. The basic purpose of PPP is to transport layer-3 packets over a Data Link layer point-to-point link. PPP consists of two main components, LCP (Link Control Protocol - used to establish, configure, and test the connection) and NCP (Network Control Protocol - configures many different layer protocols).
NCP - A PPP protocol for negotiating OSI Layer 3 (the network layer) parameters.
HDLC - A method for encapsulating datagrams over serial links.
LCP - A protocol that establishes, configures, and tests the data link connections used by PPP. The Link Control Protocol offers different options, including the following:
Authentication - options include PAP and CHAP.
Compression - Data compression increases the throughput on a network link by reducing the amount of data that must be transmitted.
Error Detection - Quality and Magic numbers are used by PPP to ensure a reliable, loop-free data link.
Multilink - Supported in IOS 11.1 and later, multilink is supported on PPP links between Cisco routers. This splits the load for PPP over two or more parallel circuits and is called a bundle.

PPP Session Establishment
Link-establishment phase - LCP packets are sent by each PPP device to configure and test the link. The LCP packets contain a field called the Configuration Option that allows each device to see the size of the data, compression, and authentication. If no Configuration Options are set, then the default config is used.
Authentication - If configured, either CHAP or PAP can be used to authenticate a link. Authentication only takes place before Network layer protocol information is read.
Network layer protocol phase - PPP uses the Network Control Protocol to allow multiple Network layer protocols to be encapsulated and sent over a PPP data link.

Configuring PPP
Router3(config)#int s0
Router3(config-if)#encapsulation ppp
Router3(config-if)#exit
Router3(config)#username Router2 password cisco
After you set the encapsulation to PPP, you have to exit to global configuration mode to set the username and password. The username is the hostname of the remote host connecting via PPP on the serial line; the password and encapsulation type must be the same for both routers.

Setting PPP Authentication
PAP - less secure of the two (sends passwords as plain text).
CHAP - uses a three-way handshake to force remote hosts to identify themselves after the link establishment phase is complete. The local router sends a challenge request to the remote device and the remote device sends a value calculated using a one-way hash function called MD5 (encryption).
Router3(config)#int s0
Router3(config-if)#ppp authentication chap pap
This tells the router to first use CHAP and then go to PAP if CHAP isn't available.

Configure DCE Serial Interface
1. Prompt is Router>
enable - Enters privileged mode.
2. Prompt changes to Router#
show controllers serial 1 - Tells you information about the physical interface itself; it also gives you the cable type and whether it is a DTE or DCE interface.
configure terminal - Enter Global Configuration mode.
3. Changes prompt to Router(config)#
interface serial 1 - Enter interface configuration mode.
4. Changes prompt to Router(config-if)#
clock rate 64000 - Changes clock rate to 64000 bits per second.
encapsulation ppp - PPP encapsulation.
bandwidth 56 - Bandwidth in kilobits.
no shutdown - Brings up the interface.
Ctrl+Z - Exits Global Configuration mode.
5. Prompt changes to Router#
show interface s1 - Shows interface status and configuration.

FRAME RELAY
Viewing Configurations
show frame-relay pvc [type number [dlci]] - Lists all PVCs and DLCIs. Type, number, & DLCI are optional.
show interface serial 0 - View DLCI and LMI info.
show frame-relay map - Display the current Frame Relay map entries.
show frame-relay lmi - View LMI statistics.
Enabling Frame Relay
encapsulation frame-relay <type> - Enables Frame Relay.
keepalive <seconds> - Defines the keepalive interval; must be less than the switch default of 10 sec.
Frame Relay Encapsulation Types
cisco - Default
ietf - Used for connecting to non-Cisco equipment
Specifying LMI Type
frame-relay lmi-type <type> - Specifies LMI type
LMI Types
cisco - LMI defined by the Gang of Four (default).
ansi - ANSI standard T1.617 Annex D; provides for 976 virtual circuit addresses and uses DLCI 0 as the management circuit.
q933a - ITU-T Q.933 Annex A, similar to ANSI T1.617 Annex D; uses DLCI 0 as a management circuit.
- LMI is a standard signaling mechanism between CPE (usually a router) and the Frame Relay connection. It provides the CPE with a local DLCI number and gives that DLCI number network-wide or local significance.
- IOS 11.2 and up supports LMI autosense, which enables the interface to automatically determine the LMI type.
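The PAP/CHAP notes above say CHAP is a three-way handshake over an MD5 hash and PAP sends the password in the clear. The following is an added example (not from the cheat sheet) that carries both exchanges out in code: an authenticator issues a challenge, the peer answers with MD5(Identifier || secret || Challenge) exactly as RFC 1994 specifies, and the authenticator verifies it; a PAP Authenticate-Request (RFC 1334) is built alongside for contrast. The hostnames Router3/Router2 and the secret "cisco" come from the cheat sheet's username line; the class and function names are this example's own.

```python
"""CHAP three-way handshake (RFC 1994) between two PPP peers (added example).

Both routers hold the same secret from `username <remote hostname> password
<secret>`. The secret itself never crosses the link: only a random challenge
and a one-way MD5 response do, and a replayed response fails because every
challenge is fresh.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge Value) (RFC 1994 section 4.1)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The local router: issues the challenge and verifies the response."""

    def __init__(self, hostname: str, usernames: dict):
        self.hostname = hostname
        self.usernames = usernames      # remote hostname -> shared secret (the username table)
        self.identifier = 0
        self.challenge = None

    def make_challenge(self, rand=os.urandom):
        """Packet 1: Challenge (Identifier, Challenge Value, Name)."""
        self.identifier = (self.identifier + 1) & 0xFF
        self.challenge = rand(16)
        return self.identifier, self.challenge, self.hostname

    def verify(self, identifier: int, value: bytes, name: str) -> str:
        """Packet 3: Success or Failure."""
        secret = self.usernames.get(name)
        if secret is None or self.challenge is None or identifier != self.identifier:
            return "Failure"
        expected = chap_response(identifier, secret, self.challenge)
        self.challenge = None           # each challenge is answered at most once
        return "Success" if hmac.compare_digest(expected, value) else "Failure"


class ChapPeer:
    """The remote router: answers the challenge; its secret never leaves the box."""

    def __init__(self, hostname: str, secret: bytes):
        self.hostname = hostname
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes, _authenticator_name: str):
        """Packet 2: Response (Identifier, Response Value, Name)."""
        return identifier, chap_response(identifier, self.secret, challenge), self.hostname


def run_chap(authenticator: ChapAuthenticator, peer: ChapPeer, rand=os.urandom) -> str:
    """Drive the three packets between the two sides and return the verdict."""
    ident, challenge, name = authenticator.make_challenge(rand)
    ident2, value, peer_name = peer.respond(ident, challenge, name)
    return authenticator.verify(ident2, value, peer_name)


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request body (RFC 1334): the password goes over the link as-is."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


if __name__ == "__main__":
    router3 = ChapAuthenticator("Router3", {"Router2": b"cisco"})   # username Router2 password cisco
    print(run_chap(router3, ChapPeer("Router2", b"cisco")))          # Success
    print(run_chap(router3, ChapPeer("Router2", b"wrong")))          # Failure
    print(pap_authenticate_request(b"Router2", b"cisco"))            # b"cisco" visible on the wire
```

The `usernames` dict plays the role of the router's `username` table, so a peer whose Name is not configured fails before any hash is compared, and `hmac.compare_digest` is used for the final comparison so the check takes the same time whether the response is right or wrong.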
Command - Description
show interface serial 0 - Shows encapsulation, open LCPs and more.
debug ppp authentication - View the authentication process.
ppp chap hostname router2 - Specifies the CHAP hostname.
ppp chap password cisco - Specifies the CHAP password.

Setting Banners
Syntax: Router(config)#banner ?
  LINE      c banner-text c, where 'c' is a delimiting character
  exec      Set EXEC process creation banner
  incoming  Set incoming terminal line banner
  login     Set login banner
  motd      Set Message of the Day banner
Example:
Router(config)#banner motd #
Enter TEXT message. End with the character '#'.
THIS IS THE MESSAGE OF THE DAY BANNER
#
Disable Banner:
Router#conf t
Router(config)#no banner motd

Interface Descriptions
An interface description is limited to 80 characters and typically describes the function of the interface.
R2(config)#interface serial 1
R2(config-if)#description Link to East Office

ISDN Integrated Services Digital Network
ISDN is a circuit-switched service provided by Telco providers to allow voice, data, and video and audio transmissions over existing digital telephone lines. ISDN is often used as a low cost alternative to Frame Relay or T1 connections, while still offering a higher connection speed than an analog modem. ISDN service is offered at two levels: Basic Rate Interface (BRI) and Primary Rate Interface (PRI). BRI is typically used in small offices or for home connection, and PRI is used in larger environments because it provides higher bandwidth.
BRI - 3 channels: 2 B-channels at 64 Kbps and 1 D-channel at 16 Kbps for a maximum data throughput of 128 Kbps.
PRI - 23 B-channels and 1 64 Kbps D-channel for a bit rate of up to 1.544 Mbps.
European ISDN PRI - 30 64 Kbps B-channels and 1 64 Kbps D-channel for a total interface rate of 2.048 Mbps.
In both ISDN BRI and PRI, a single D-channel is used for signaling information, and the B-channels are used to carry the data. Because the control communications are conducted on a channel that is separate from the data transfer, ISDN is said to be out of band signaling.

LAPD
Layer 2 of the ISDN signaling protocol is Link Access Procedure, D channel; it is used by ISDN to pass the signaling messages between the router and the ISDN switch at the local CO. LAPD is similar to HDLC and LAPB. As the expansion of the LAPD acronym indicates, it is used across the D-channel to ensure that control and signaling information flows and is received properly.

ISDN Protocol Series
Protocol Series   Description                                        Examples
E                 Telephone and network standards.                   E.163 - Telephone numbering; E.164 - ISDN addressing
I                 Methods, terminology, concepts, and interfaces.    I.100 - Terminology, structure, + concepts; I.300 - Networking recommendations
Q                 Signaling and switching standards.                 Q.921 - Data Link layer LAPD procedures; Q.931 - Network layer functions

ISDN Functions and Devices
Terminal Adapter (TA) --- A converter device that allows non-ISDN devices to operate on an ISDN network.
Terminal Equipment 1 (TE1) --- A device that supports ISDN standards and that can be connected directly to an ISDN network connection. For example, ISDN telephones, personal computers, or videophones could function as TE1s.
Terminal Equipment 2 (TE2) --- A non-ISDN device, such as an analog phone or modem, which requires a TA in order to connect to an ISDN network.
Network Termination 1 (NT1) --- A small connection box that is attached to ISDN BRI lines. This device terminates the connection from the Central Office (CO).
Network Termination 2 (NT2) --- A device that provides switching services for the internal network. This type of interface is typically used with PRI lines, when they need to be divided for several functions. For example, some channels may be used for WAN data communications and others for the telephone system and/or video tele-conferencing.

ISDN Reference Points
R -- The R-interface is the wire or circuit that connects the TE2 to the TA.
S -- The S-interface is a four-wire cable from TE1 or TA to the NT1 or NT2, which is a two-wire termination point.
T -- The point between the NT1 and NT2, which is also the T-interface. This four-wire cable is used to divide the normal telephone company two-wire cable into four-wire, which then allows the connection of up to eight ISDN devices.
S/T -- When NT2 is not used on a connection that uses NT1, the connection from the router or TA to the NT1 connection is typically called S/T. This is essentially the combination of the S and T reference points.
U -- The U-interface is the actual two-wire cable, also called the local loop, which connects the CPE to the Telco provider.

Service Profile Identifiers (SPIDs)
Many Telco providers utilize ISDN switches, which require SPIDs for dial-in access. An ISDN device can access each ISDN channel via its SPID number. You can configure the router to utilize a single or multiple SPIDs when making a connection to the ISDN provider. The ISDN provider must assign the SPID numbers for each channel, which is usually an 8 to 14-digit number.
Setting SPIDs
The following commands show an ISDN BRI connection (two SPIDs for 2 B-channels):
R3(config)#isdn switch-type dms-100
R3(config)#interface bri 0
R3(config-if)#isdn spid1 0835866201 8358662
R3(config-if)#isdn spid2 0835866401 8358664
If you want your Cisco router to answer incoming calls over your ISDN line, you can configure an ISDN subaddress. When multiple devices are attached to an ISDN BRI, you can ensure that only a single device answers an incoming call by verifying the number or subaddress in the incoming call against the device's configured number or subaddress or both.
R3(config-if)#isdn answer 52069145241010 5551212

DDR Dial on Demand Routing
Dial-on-demand routing (DDR) is used to allow two or more Cisco routers to dial an ISDN dial-up connection on an as-needed basis. DDR is only used for low-volume, periodic network connections using either a PSTN or ISDN. This was designed to reduce WAN cost if you have to pay on a per-minute or per-packet basis. DDR configuration commands define host and ISDN connection information. An access list and DDR dialer group define what kind of traffic should initiate an ISDN call. You can configure multiple access lists to look for different types of interesting traffic. Interesting traffic is traffic that (when it arrives at the router) triggers the router to initiate the ISDN connection.
Steps of How DDR Works
1.) Route to the destination network is determined.
2.) Interesting packet dictates a DDR call.
3.) Dialer information is looked up.
4.) Traffic is transmitted.
5.) Call is terminated when no more traffic is being transmitted over a link and the idle-timeout period ends.
Configuring a DDR Connection
R_3(config-if)#dialer wait-for-carrier-time 15
R_3(config-if)#dialer idle-timeout 300
R_3(config-if)#dialer load-threshold 125 either
R_3(config-if)#dialer map ip 192.168.52.1 name CORP speed 56 5205551212
Specifying Interesting Traffic (allows IP, but not IGRP)
R_3(config)#dialer-list 1 protocol ip list 110
R_3(config)#access-list 110 deny igrp any any
R_3(config)#access-list 110 permit ip any any
R_3(config)#int bri0
R_3(config-if)#dialer-group 1

Sample ISDN Configuration
The routers are both using PPP encapsulation and CHAP authentication. The username has been set for the opposite router in each configuration and the password is the same on both. Each router has the ability to dial the other. The CORP router is located at the corporate network, which has other connections and uses IGRP to transfer routing tables on the corporate network. However, IGRP is not desired on the ISDN connection, so the CORP router has an access list specifically denying IGRP on the ISDN link. Both routers permit all IP traffic on the ISDN link, and all IP traffic will be considered interesting, or worth activating the ISDN link for. Multilink is enabled on both routers, and they will dial their additional lines when there is 50% (load-threshold uses a number between 1 and 255, with 255 being 100%) or more utilization on the first channel. The link will be terminated if there is no interesting traffic for 600 seconds (10 minutes). The IP routes are configured such that all traffic destined from the corporate network to 192.168.24.0 will be sent to the REMOTE router. Since the REMOTE router is a remote branch with no other connections, all traffic that is not specifically destined for 192.168.24.0 will be sent to the CORP router. Note that each router has its dialer mapped to the IP address of the other router.

Remote Network
Router Configuration:
Name: REMOTE
E0 IP address: 192.168.24.1
Local Network: 192.168.24.0
BRI 0 IP address: 192.168.49.2
REMOTE(config)#username corp password 123pass332
REMOTE(config)#isdn switch-type dms-100
REMOTE(config)#interface bri 0
REMOTE(config-if)#encapsulation ppp
REMOTE(config-if)#ppp authentication chap
REMOTE(config-if)#isdn spid1 5208881111 5270936
REMOTE(config-if)#isdn spid2 5208881212 5270956
REMOTE(config-if)#ip address 192.168.49.2 255.255.255.0
REMOTE(config-if)#dialer idle-timeout 600
REMOTE(config-if)#dialer map ip 192.168.49.1 name corp 7045551212
REMOTE(config-if)#dialer load-threshold 125 either
REMOTE(config-if)#ppp multilink
REMOTE(config-if)#dialer-group 1
REMOTE(config-if)#exit
REMOTE(config)#dialer-list 1 protocol ip permit
REMOTE(config)#ip route 0.0.0.0 0.0.0.0 192.168.49.1
REMOTE(config)#ip route 192.168.49.0 255.255.255.0 192.168.49.1

Corporate Network
Router Configuration:
Name: CORP
BRI 1 IP address: 192.168.49.1
CORP(config)#username remote password 123pass332
CORP(config)#isdn switch-type dms-100
CORP(config)#interface bri 1
CORP(config-if)#encapsulation ppp
CORP(config-if)#ppp authentication chap
CORP(config-if)#isdn spid1 7047773333 5265933
CORP(config-if)#isdn spid2 7047774444 5265944
CORP(config-if)#ip address 192.168.49.1 255.255.255.0
CORP(config-if)#dialer idle-timeout 600
CORP(config-if)#dialer map ip 192.168.49.2 name remote 5205551212
CORP(config-if)#dialer load-threshold 125 either
CORP(config-if)#ppp multilink
CORP(config-if)#dialer-group 1
CORP(config-if)#exit
CORP(config)#ip route 192.168.24.0 255.255.255.0 192.168.49.2
CORP(config)#dialer-list 1 protocol ip list 110
CORP(config)#access-list 110 deny igrp any any
CORP(config)#access-list 110 permit ip any any
ISDN Commands
Command - Description
clear interface - Disconnects all current connections.
show dialer - Shows the current dialer status, including the time that the link has been active.
debug dialer - Displays the configuration and operation of the dialer.
debug q921 - Used to see layer-2 information only.
debug q931 - Shows the call setup and teardown.
show ip route - Shows all routes the router knows about.
show isdn active - Displays the status of the ISDN connection while the call is in progress.
show isdn status - Gives status information for ISDN connections.
show interface bri 0 - Shows you the configuration statistics and speed of your ISDN BRI interface.

Supported ISDN Switch Types
Identifier       Description
basic-ni1        AT&T basic rate switches
basic-5ess       AT&T 5ESS basic rate switches
basic-dms100     Nortel DMS-100 basic rate switches
basic-4ess       AT&T 4ESS primary rate switches
primary-5ess     AT&T 5ESS primary rate switches
primary-dms100   Nortel DMS-100 primary rate switches
vn2              French VN2 ISDN switches
vn3              French VN3 ISDN switches
ntt              Japanese NTT ISDN switches
basic-1tr6       German 1TR6 ISDN switches

Access Lists
Access List Type            Number
Standard IP Access Lists    1-99
Extended IP Access Lists    100-199
Standard IPX Access Lists   800-899
Extended IPX Access Lists   900-999
IPX SAP Filters             1000-1099

Standard IP Access List
Syntax: access-list 1-99 [permit|deny] [source address] [source wildcard mask]
Example:
Router(config)#access-list 1 deny 192.168.1.0 0.0.0.255
Router(config)#access-list 1 permit 0.0.0.0 255.255.255.255   (same as any)
Apply the Access List:
Router(config)#int e0
Router(config-if)#ip access-group 1 out

Standard IPX Access List
Syntax: access-list 800-899 [permit|deny] [source net/node address] [dest network/dest address]
Example:
Router(config)#access-list 800 deny 500 200
Router(config)#access-list 800 permit -1 -1
Apply the Access List:
Router(config)#int e0
Router(config-if)#ipx access-group 800 in

Extended IP Access List
Syntax: access-list 100-199 [permit|deny] [protocol] [src IP addr] [src wildcard mask] [dest IP addr] [dest wildcard mask] [operator] [port] [log]
Example:
Router(config)#access-list 100 deny tcp host 192.168.1.10 host 192.168.2.2 eq www
Router(config)#access-list 100 permit ip any any
Router(config)#int e0
Router(config-if)#ip access-group 100 in
This access list will block 192.168.1.10 from accessing TCP port www (http) on host 192.168.2.2. The host keyword is a shortcut for the 0.0.0.0 wildcard mask. Since extended IP access lists use destination addresses, the list should be applied as close to the source as possible to reduce unnecessary traffic on the network.

Extended IPX Access List
Syntax: access-list 900-999 [permit|deny] [protocol] [source network/node address] [socket] [dest network/node addr] [socket]
Example:
R_1(config)#access-list 900 deny -1 500 0 200 0
R_1(config)#access-list 900 permit -1 -1 0 -1 0
R_1(config)#int e0
R_1(config-if)#ipx access-group 900 in
Extended IPX access lists allow you to filter based on source and destination network or node address, IPX protocol type (a -1 specifies all IPX protocols), and IPX socket #.

IPX SAP Filters
Syntax: access-list 1000-1099 [permit|deny] [src network/node addr] [service-type]
Example:
Router(config)#access-list 1000 deny 200 0
Router(config)#access-list 1000 permit -1 0
To apply a SAP filter to an interface for inbound filtering use the command:
Router(config)#int e0
Router(config-if)#ipx input-sap-filter [list#]
Or for outbound filtering use the command:
Router(config)#int e0
Router(config-if)#ipx output-sap-filter [list#]
This would block all advertisements from network 200 from being passed to other routers on the internetwork. Again you can use the command show access-list to see the access lists.

Controlling VTY Access
Example:
R_2(config)#access-list 15 permit 192.168.1.71
R_2(config)#line vty 0 4
R_2(config-line)#access-class 15 in
This will stop all hosts except 192.168.1.71 from telneting into the router. This is accomplished by only allowing one host and then not permitting any other hosts, since there is an implicit deny at the end of all access lists.
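The access-list sections above (standard list 1, extended list 100, the VTY list 15) and the DDR "interesting traffic" list 110 all rely on the same matching rules: top-down first match, wildcard masks, `host`/`any` shortcuts and the implicit deny at the end. The following added example (not from the cheat sheet) is a small parser and evaluator for that `access-list` syntax, fed with the cheat sheet's own lines; the packet dicts, function names and the `ddr_interesting` helper are constructed for the example, and IPX lists are not modelled.

```python
"""Evaluating Cisco-style IP access lists (added example).

Rules applied: entries are tried in order and the first match wins; a
wildcard-mask bit of 1 means "don't care"; `host A` is `A 0.0.0.0`; `any` is
`0.0.0.0 255.255.255.255`; a standard list (1-99) checks only the source; an
extended list (100-199) checks protocol, source, destination and an optional
port operator; a packet that matches nothing hits the implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

WELL_KNOWN_PORTS = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits where the wildcard mask is 0."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


def parse_address(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A' (no wildcard = single host)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) >= 2 and tokens[1][0].isdigit():
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]


@dataclass
class Entry:
    action: str                     # "permit" | "deny"
    protocol: str                   # "ip" matches every protocol; standard lists use "ip"
    src: tuple                      # (base, wildcard)
    dst: tuple
    port_op: Optional[str] = None   # eq | gt | lt | neq
    port: Optional[int] = None


def parse_acl_line(line: str):
    """'access-list N permit|deny ...' -> (N, Entry)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(line)
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99:                      # standard: source address only
        src, _ = parse_address(rest)
        return number, Entry(action, "ip", src, ANY)
    if 100 <= number <= 199:                   # extended: protocol, source, destination, optional port
        protocol = rest[0]
        src, rest = parse_address(rest[1:])
        dst, rest = parse_address(rest)
        port_op = port = None
        if rest and rest[0] in ("eq", "gt", "lt", "neq"):
            port_op = rest[0]
            port = WELL_KNOWN_PORTS.get(rest[1]) or int(rest[1])
        return number, Entry(action, protocol, src, dst, port_op, port)
    raise ValueError(f"list number {number} not modelled (IPX lists)")


def match(entry: Entry, pkt: dict) -> bool:
    if entry.protocol != "ip" and entry.protocol != pkt["protocol"]:
        return False
    if not (wildcard_match(pkt["src"], *entry.src) and wildcard_match(pkt["dst"], *entry.dst)):
        return False
    if entry.port_op is None:
        return True
    dport = pkt.get("dport")
    if dport is None:
        return False
    return {"eq": dport == entry.port, "gt": dport > entry.port,
            "lt": dport < entry.port, "neq": dport != entry.port}[entry.port_op]


def evaluate(entries, pkt: dict) -> str:
    """Top-down, first match wins; nothing matched -> implicit deny."""
    for entry in entries:
        if match(entry, pkt):
            return entry.action
    return "deny"


def build_acls(lines):
    acls = {}
    for line in lines:
        number, entry = parse_acl_line(line)
        acls.setdefault(number, []).append(entry)
    return acls


CONFIG = [   # the cheat sheet's own access lists
    "access-list 1 deny 192.168.1.0 0.0.0.255",
    "access-list 1 permit 0.0.0.0 255.255.255.255",
    "access-list 15 permit 192.168.1.71",
    "access-list 100 deny tcp host 192.168.1.10 host 192.168.2.2 eq www",
    "access-list 100 permit ip any any",
    "access-list 110 deny igrp any any",
    "access-list 110 permit ip any any",
]
ACLS = build_acls(CONFIG)


def ddr_interesting(pkt: dict) -> bool:
    """`dialer-list 1 protocol ip list 110`: a packet is interesting if list 110 permits it."""
    return evaluate(ACLS[110], pkt) == "permit"


if __name__ == "__main__":
    web = {"protocol": "tcp", "src": "192.168.1.10", "dst": "192.168.2.2", "dport": 80}
    print(evaluate(ACLS[100], web))                                                   # deny
    print(evaluate(ACLS[15], {"protocol": "tcp", "src": "192.168.1.72", "dst": "192.168.1.1", "dport": 23}))  # deny
```

Note how list 15 never mentions a deny: the second host is refused purely by the implicit deny, which is why a list consisting only of `permit` lines is still a whitelist.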
then not permitting any other hosts since there is an implicit deny Do at this layer
at the end of all access lists. ; Design for high reliability (FDDI, Fast Ethernet with redundant links, or ATM).
; Design for speed and low latency. Access List Commands ; Use routing protocols with low convergence times. Command Description show access-lists Displays all access lists and their Distribution Layer parameters configured on the router. Also called workgroup layer, is the communication point between This command doesn't show which access and core layers. Primary function, routing, filtering, WAN interface the list is configured on. access, and determine how packets can access the Core layer if show access-list Shows only the parameters for the necessary. Determine fastest/best path and send request to Core [list#] access list specified. This command layer. Core layer will then quickly transport the request to the does not show you the interface the list correct service. Place to implement network policies. is configured on. Network Policies
Access List Commands (continued)
show ip access-list                  Shows only the IP access lists configured on the router.
show ipx access-list                 Shows only the IPX access lists configured on the router.
show ip interface                    Shows which interfaces have IP access lists on them.
show ipx interface                   Shows which interfaces have IPX access lists on them.
show running-config                  Shows the access lists and which interfaces have access lists set.
any                                  Keyword used to represent all hosts or networks; replaces 0.0.0.0 255.255.255.255 in an access list.
host                                 Keyword that specifies that an address should have a wildcard mask of 0.0.0.0 (i.e. it will match only one host).
clear access-list counters [list#]   Clears the per-line match counters of an extended access list.
-1                                   Applies to any IPX network or any protocol when used in extended IPX access lists.
0                                    Used for all sockets in extended IPX access lists.
ip access-group                      Applies an IP access list to an interface.
ipx access-group                     Applies an IPX access list to an interface.
ipx input-sap-filter                 Applies an inbound IPX SAP filter to an interface.
ipx output-sap-filter                Applies an outbound IPX SAP filter to an interface.

Configuring IPX Encapsulation
To enable IPX routing on interface Ethernet 0 using arpa (Ethernet_II) encapsulation, use the commands:
Router3(config)#ipx routing
Router3(config)#interface Ethernet 0
Router3(config-if)#ipx network 2 encap arpa
You can assign multiple networks with different encapsulation types by using subinterfaces:
R3(config)#int e0.1
R3(config-subif)#ipx network 1 encapsulation sap
R3(config-subif)#int e0.2
R3(config-subif)#ipx net 2 encap novell-ether

Novell Frame Encapsulation
NetWare Frame Type    Cisco Keyword
Ethernet_802.3        novell-ether (default)
Ethernet_802.2        sap
Ethernet_II           arpa
Ethernet_SNAP         snap
Token-Ring            sap (default)
Token-Ring_snap       snap

Cisco Hierarchical Model
There are three layers to the Cisco hierarchical model:
1. The core (backbone) layer provides optimal transport between sites.
2. The distribution layer provides policy-based connectivity.
3. The local-access layer provides workgroup/user access to the network.

Core Layer
Responsible for transporting large amounts of traffic reliably and quickly. Its only purpose is to switch traffic as fast as possible (speed and latency are the factors). A failure at the core layer can affect every user.
Design specifications (don't do at this layer):
o Don't use access lists, packet filtering, or VLAN routing.
o Don't support workgroup access here.
o Don't expand (add more devices); upgrade instead (faster devices).

Distribution Layer functions (policy-based connectivity)
- Access lists, packet filtering, and queuing.
- Security and network policies such as address translation and firewalling.
- Redistribution between routing protocols, including static routing.
- Routing between VLANs and other workgroup support functions.
- Definition of broadcast and multicast domains.

Access Layer
- Controls user and workgroup access to internetwork resources.
- Also called the desktop layer.
- The resources most users need will be available locally.
- The distribution layer handles traffic for remote services.
- Continued access control and policies.
- Creation of separate collision domains (segmentation).
- Workgroup connectivity into the distribution layer.
- Technologies such as DDR and Ethernet switching are seen in the access layer.
- Static routing is here.
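The following is an added example, not part of the original cheat sheet, showing how the wildcard-mask keywords in the command table above are actually evaluated: `any` expands to 0.0.0.0 255.255.255.255, `host X` to X 0.0.0.0, a wildcard bit of 1 means "don't care", the list is searched top-down, and an implicit `deny any` ends every list. The access list 10 it evaluates is constructed for the example; the addresses and list number are arbitrary.

```python
"""Added example (not from the cheat sheet): evaluate IPv4 standard access
lists with Cisco wildcard-mask semantics.

Assumptions, as stated in the command table: 'any' is shorthand for
0.0.0.0 255.255.255.255, 'host X' for X with wildcard 0.0.0.0, and a list
is searched top-down with an implicit 'deny any' at the end. The ACL text
below is constructed for the example; list number 10 is arbitrary.
"""
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, entry_addr, wildcard):
    """True if addr matches entry_addr under a Cisco wildcard mask.

    In a wildcard mask a 1 bit means 'don't care' and a 0 bit means
    'must match', the inverse of a subnet mask. The mask need not be
    contiguous, which is why 0.0.0.254 matches only even host numbers.
    """
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(entry_addr) & care)


def parse_entry(line):
    """Parse one standard ACL line into (action, address, wildcard).

    Handles 'any', 'host A', 'A W' and bare 'A' (IOS treats an omitted
    wildcard in a standard list as 0.0.0.0).
    """
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not a standard access-list entry: %r" % line)
    action, rest = tok[2], tok[3:]
    if rest[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
    return action, rest[0], wildcard


def evaluate(acl_lines, src):
    """Return (action, matching line) for a source address.

    The first matching entry wins, so ordering matters: the deny for the
    single host below must precede the permit for its /24.
    """
    for line in acl_lines:
        action, addr, wildcard = parse_entry(line)
        if wildcard_match(src, addr, wildcard):
            return action, line
    return "deny", "implicit deny any"


# Constructed sample list (not from the page).
ACL_10 = [
    "access-list 10 deny host 192.168.1.6",
    "access-list 10 permit 192.168.1.0 0.0.0.255",
    "access-list 10 permit 10.0.0.0 0.255.255.255",
]

if __name__ == "__main__":
    for src in ("192.168.1.6", "192.168.1.7", "10.200.3.4", "172.16.0.1"):
        print(src, "->", evaluate(ACL_10, src))
```

The non-contiguous mask case (0.0.0.254 matching only even hosts) is the one reviewers most often misread when auditing a running-config, and the implicit final deny is why a list with only deny statements blocks everything.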
Novell Frame Encapsulation (continued)
NetWare Frame Type    Cisco Keyword
Fddi_snap             snap (default)
Fddi_802.2            sap
Fddi_raw              novell-fddi

Name Resolution
Creating a Host Table
Syntax: ip host name <tcp port #> <ip address>
The example turns off domain lookups and doesn't specify a port number because port 23 (telnet) is used by default.
Example:
Router_2#configure terminal
Router_2(config)#no ip domain-lookup
Router_2(config)#ip host router_3 192.168.1.6

Using DNS lookups
Router_2(config)#ip domain-lookup
Router_2(config)#ip name-server 192.168.1.5
Router_2(config)#ip domain-name foo.bar

Routing Protocols' Administrative Distances
Route Source           Default Distance
Connected interface    0
Static route           1
EIGRP                  90
IGRP                   100
OSPF                   110
RIP                    120
External EIGRP         170
The lower the distance, the more trusted the source: when two sources offer a route to the same destination, the one with the lower administrative distance is installed.

Layer 2 Switching
Layer 2 switching is hardware based and tends to be faster than routing, because the switch doesn't look at logical (Network layer) addressing; it uses the hardware (MAC) address defined at the Data Link layer to decide whether to forward or discard the frame. Switches use Application Specific Integrated Circuits (ASICs) to build and maintain their filter tables.
Layer 2 switching is efficient because it doesn't modify the data packet, only the frame encapsulating the packet, which also makes it less error prone.

Three functions of Layer 2 switching
1.) Address learning - a layer 2 switch records in its filter table the source hardware address of each frame and the port interface it was received on.
2.) Forward/filter decisions - when a frame is received, the switch looks up the destination hardware address in the filter table to find the interface it is on. If the address is unknown, the frame is flooded out all interfaces except the one it was received on.
3.) Loop avoidance - if multiple connections between switches exist for redundancy, network loops can occur. Spanning Tree Protocol is used to stop loops while still allowing redundancy.

Changing the Configuration Register
To change the configuration register while running the system software, follow these steps:
Step 1 - At the privileged EXEC prompt (Router#), enter the configure terminal command to enter global configuration mode.
Router#configure terminal
Router(config)#
Step 2 - Set the contents of the configuration register by entering the config-register value configuration command, where value is a hexadecimal number preceded by 0x, as in the following example:
Router(config)#config-register 0x2142
Step 3 - Press Ctrl-Z to exit configuration mode.
Step 4 - Display the current configuration register value, which will be used at the next system reload, by entering the show version command. The value is displayed on the last line of the screen display, as in the following example:
Configuration register is 0x2102 (will be 0x2142 at next reload)
Step 5 - Restart the router. Changes to the configuration register take effect only when the system reloads.
Note that 0x2142 differs from the normal 0x2102 in bit 6, which makes the router ignore the startup configuration in NVRAM at boot; it is the password-recovery setting. Set the register back to 0x2102 once the configuration is restored, and treat an unexplained 0x2142 in show version as a sign that someone has been through the recovery procedure.

Boot Field   Meaning                              Use
00           ROM monitor mode                     To boot to ROM monitor mode, set the configuration register to 2100. You must then manually boot the router with the b command. The router will show a rommon> prompt.
01           Boot image from ROM                  To boot an IOS image stored in ROM, set the configuration register to 2101. The router will show the router(boot)> prompt.
02 to 0F     Specifies a default boot filename    Any value from 2102 to 210F tells the router to use the boot commands specified in NVRAM.

Spanning Tree Protocol (STP)
IEEE 802.1d. Its main task is to stop network loops from occurring on layer 2 devices. It monitors the network to find all the links and shuts down redundant ones to prevent loops.
It first elects a root bridge (only one per network); root bridge ports are called designated ports and operate in forwarding state. Forwarding-state ports can send and receive traffic. The other switches in the network are non-root bridges.
On each non-root bridge, the port with the lowest path cost to the root bridge is the root port; it sends and receives traffic. On each segment, the port with the lowest cost to the root bridge is the designated port. The other ports on the bridge are non-designated and will not send or receive traffic (blocking mode).
Switches or bridges running STP exchange information with Bridge Protocol Data Units (BPDUs) every 2 seconds. BPDUs carry configuration information in multicast frames, and are also used to send the bridge ID of each device to the other devices. The bridge ID is used to determine the root bridge in the network and to determine the root port.
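The configuration-register procedure above ends with reading the register back from show version. The following is an added example, not from the cheat sheet, that decodes a register value into the boot field tabulated above and audits a show version line for a pending change. The boot-field meanings are the page's; the other bit positions it names (bit 6 ignore NVRAM, bit 8 break disabled, bit 13 boot ROM software on network-boot failure) come from Cisco's documented register layout, not from this page, and the show version text is constructed.

```python
"""Added example (not from the cheat sheet): decode a Cisco configuration
register value and audit the 'Configuration register is ...' line of show
version for a pending change.

The boot-field meanings (0x0 ROM monitor, 0x1 boot from ROM, 0x2-0xF use
the boot commands in NVRAM) are the ones tabulated on the page. The other
bit positions (bit 6 ignore NVRAM, bit 8 break disabled, bit 13 boot ROM
software on network-boot failure) come from Cisco's documented register
layout, not from the page. The show version text below is constructed.
"""
import re

IGNORE_NVRAM = 0x0040          # bit 6: boot without the startup-config (password recovery)
BREAK_DISABLED = 0x0100        # bit 8: ignore Break on the console during boot
ROM_ON_NETBOOT_FAIL = 0x2000   # bit 13: fall back to ROM software if a network boot fails

_REGISTER_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def decode_config_register(value):
    """Split a register value into its boot field and the flag bits above."""
    boot_field = value & 0xF
    if boot_field == 0x0:
        boot = "ROM monitor (rommon>); boot manually with 'b'"
    elif boot_field == 0x1:
        boot = "boot image from ROM (router(boot)>)"
    else:
        boot = "use boot system commands in NVRAM"
    return {
        "boot_field": boot_field,
        "boot": boot,
        "ignore_nvram_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_on_netboot_failure": bool(value & ROM_ON_NETBOOT_FAIL),
    }


def parse_show_version_register(text):
    """Return (current, next_reload) register values from show version output."""
    match = _REGISTER_RE.search(text)
    if not match:
        raise ValueError("no configuration register line found")
    current = int(match.group(1), 16)
    pending = int(match.group(2), 16) if match.group(2) else current
    return current, pending


def audit(text):
    """Return a list of findings for a show version excerpt.

    A register that will bypass NVRAM, or boot something other than the
    NVRAM boot commands, at the next reload is worth flagging: it is either
    an unfinished password recovery or a change nobody expects.
    """
    current, pending = parse_show_version_register(text)
    findings = []
    if current != pending:
        findings.append("register changes from 0x%04X to 0x%04X at next reload" % (current, pending))
    decoded = decode_config_register(pending)
    if decoded["ignore_nvram_config"]:
        findings.append("next boot ignores the startup configuration in NVRAM (bit 6 set)")
    if decoded["boot_field"] < 0x2:
        findings.append("next boot does not load the NVRAM boot commands (boot field 0x%X)" % decoded["boot_field"])
    return findings


# Constructed show version tail, matching the step 4 example on the page.
SHOW_VERSION_TAIL = "Configuration register is 0x2102 (will be 0x2142 at next reload)"

if __name__ == "__main__":
    for value in (0x2100, 0x2101, 0x2102, 0x2142):
        print("0x%04X" % value, decode_config_register(value))
    print(audit(SHOW_VERSION_TAIL))
```

Run `audit` over collected show version output from a fleet to catch routers left at 0x2142 after a recovery: such a router silently boots with an empty configuration at its next reload.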
The bridge ID is 8 bytes long and consists of the bridge priority followed by the MAC address; the lowest bridge ID wins the root election. The default priority in the IEEE STP version is 32,768, so with default priorities the switch with the lowest MAC address becomes the root bridge.

STP Port States
Blocking - doesn't forward any frames, but listens to BPDUs. Ports default to blocking when the switch powers on. Used to prevent network loops. If a blocked port is to become a designated port, it first enters the listening state.
Listening - listens to BPDUs to ensure no loops occur on the network before passing data frames.
Learning - learns MAC addresses and builds the filter table, but doesn't forward frames.
Forwarding - sends and receives all data on the bridge port.

LAN Switching Modes
Store and Forward - the entire frame is copied into the switch's buffer and the Cyclic Redundancy Check (CRC) is computed. Since the entire frame is copied, latency varies with frame length. If the frame has a CRC error, is too short (<64 bytes), or is too long (>1518 bytes), it is discarded. If there is no error, the destination MAC address is looked up in the filter table and the frame is sent to the appropriate interface. This is the default mode for 5000 series switches.
Cut Through - the fastest switching mode, as only the destination address is copied. The switch then looks up the address in its filter table and sends the frame to the appropriate interface.
Fragment Free - a modified form of cut-through switching. The switch waits for the first 64 bytes to pass before forwarding the frame; if a frame has an error it usually shows in the first 64 bytes, because a collision fragment is shorter than that. Default mode for 1900 switches.

Virtual Local Area Networks
VLANs are formed to group related users together regardless of the physical connections of their hosts to the network. The users can be spread across a campus network or even across geographically isolated locations. Users can be organized into separate VLANs according to their department, location, function, application, or protocol used. The goal with VLANs is to group users into separate VLANs so their traffic stays within the VLAN.

Benefits of VLANs
Broadcast Control - VLANs provide logical broadcast domains that confine broadcast and multicast traffic to the bridging domain.
Security - if a router is not used, no user outside the VLAN can communicate with users or access resources within the VLAN. Restrictions can also be placed on hardware addresses, protocols, and applications.
Performance - you can isolate users that require high-performance networks for bandwidth-intensive projects; VLANs can isolate them from the rest of the network.
Network Management - software on the switch allows you to reconfigure the logical layout of the LAN without having to change cable connections.

VLAN Memberships
Static VLANs - the typical method of creating VLANs, and the most secure. The switch port you assign a VLAN association to always maintains that association until an administrator changes the port assignment.
Dynamic VLANs - determine a node's VLAN assignment automatically. Using intelligent management software, you can enable MAC addresses, protocols, or even applications to create dynamic VLANs.

Frame Tagging
Switches use frame tagging to keep track of users and frames as they travel the switch fabric and VLANs. The switch fabric is a group of connected switches. Frame tagging assigns a unique user-defined ID to each frame, also called the VLAN ID or color.

Types of Links
Access Links - are only part of one VLAN, which is referred to as the native VLAN of the port. Any device attached to an access link is unaware of its VLAN membership; it just assumes it is part of a broadcast domain, without any understanding of the physical network. Switches remove any VLAN information before a frame is sent to an access link device. Access link devices can't communicate with any devices outside their VLAN without a router or other layer 3 device.
Trunk Links - can carry multiple VLANs and are used to connect switches to other switches, to routers, or to servers. Trunk links are only supported on Fast or Gigabit Ethernet (100 or 1000 Mbps). Cisco switches support two ways to identify which VLAN a frame belongs to: ISL and 802.1q. Trunk links have a native or default VLAN; on an 802.1q trunk, frames belonging to the native VLAN cross the link untagged, so the native VLAN must match on both ends (CDP reports a mismatch). Trunked links carry the traffic of multiple VLANs (1 to 1005) at a time. Trunking allows you to make a single port a part of multiple VLANs, so you can be in more than one broadcast domain at a time. When connecting switches together, trunk links can carry some or all VLAN information across the link. If you don't trunk the links, the switch will only carry VLAN 1 information across the link. Cisco switches use the Dynamic Trunking Protocol (DTP) to manage trunks. DTP is a point-to-point protocol created to negotiate trunking and send trunk information across 802.1q trunks.

Trunk types
Inter-Switch Link - ISL is a Cisco proprietary protocol for interconnecting multiple switches and maintaining VLAN information as traffic goes between switches. ISL is similar to 802.10 in that both multiplex bridge groups over a high-speed backbone (ISL runs only on Fast Ethernet and faster links). ISL is an external tagging process: the original frame is encapsulated in a 26-byte ISL header with a 4-byte FCS at the end, of which 2 bytes carry the VLAN ID. Since the frame is encapsulated, only devices running ISL can read it; if you need a protocol for switches other than Cisco's, use 802.1q. ISL frames can be up to 1548 bytes long (1518 plus the 30 bytes of ISL encapsulation).
IEEE 802.1q - created by the IEEE as a standard method of frame tagging. It inserts a 4-byte tag field into the frame itself, after the source address, to identify the VLAN, so a tagged frame can be up to 1522 bytes long. If you are trunking between a Cisco switch and a non-Cisco switch, you will need to use 802.1q for the trunk to work.
Local Area Network Emulation (LANE) - a service that provides interoperability between ATM-based workstations and devices connected to existing LAN technology. LANE uses MAC encapsulation because this approach supports the largest number of existing OSI layer 3 protocols. The end result is that all devices attached to an emulated LAN appear to be on one bridged segment. In ATM LANE environments, the ATM switch handles traffic that belongs to the same emulated LAN and routers handle inter-LANE traffic.
IEEE 802.10 - defines a method for secure bridging of data across a shared MAN backbone. The coloring (VLAN ID) of traffic across the FDDI backbone is achieved by inserting a 16-byte header between the source MAC and the Link Service Access Point (LSAP) of frames leaving a switch. This header contains the 4-byte VLAN ID or "color". The receiving switch removes the header and forwards the frame to interfaces that match the VLAN color.

Inter VLAN Communications
To communicate between VLANs you need a router with an interface for each VLAN, or a router that supports ISL routing. The lowest Cisco router that supports ISL routing is the 2600 series. If you're using a router with one interface and ISL, the interface should be at least 100 Mbps (Fast Ethernet).
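To show the STP election rules above working end to end, here is an added example, not part of the cheat sheet, that builds 8-byte bridge IDs (priority then MAC, lowest wins), elects the root, computes each bridge's path cost to the root, and assigns root, designated and blocking roles to every port. The three-switch topology, the MAC addresses and the 802.1D default port costs it uses (10 Mbps = 100, 100 Mbps = 19, 1 Gbps = 4) are constructed for the example and are not from the page.

```python
"""Added example (not from the cheat sheet): STP root bridge election and
port-role assignment from bridge IDs and path costs.

Rules applied: the bridge ID is the 2-byte priority followed by the 6-byte
MAC and the lowest ID becomes root; on a non-root bridge the port with the
lowest path cost to the root is the root port; on each segment the end with
the lowest cost to the root is designated; every other port blocks. Ties
fall to the lower bridge ID. The topology, the MAC addresses and the 802.1D
path costs (10 Mbps = 100, 100 Mbps = 19, 1 Gbps = 4) are constructed.
"""
import heapq

PORT_COST = {10: 100, 100: 19, 1000: 4}   # 802.1D default path cost per link speed (Mbps)


def bridge_id(priority, mac_str):
    """8-byte bridge ID as an integer: priority in the high 16 bits, MAC below."""
    return (priority << 48) | int(mac_str.replace(":", ""), 16)


def elect_root(bridges):
    """bridges: {name: (priority, mac)}. Lowest bridge ID wins."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_path_costs(links, root):
    """Dijkstra from the root: lowest cumulative path cost for every bridge."""
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, cost in adj.get(u, []):
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                heapq.heappush(heap, (d + cost, v))
    return dist


def port_roles(bridges, links):
    """Return (root, cost-to-root per bridge, {(bridge, neighbour): role})."""
    root = elect_root(bridges)
    cost = root_path_costs(links, root)
    bid = {name: bridge_id(*bridges[name]) for name in bridges}
    roles = {}
    # Designated port on each segment: lower root path cost, then lower bridge ID.
    for a, b, _ in links:
        designated, other = (a, b) if (cost[a], bid[a]) < (cost[b], bid[b]) else (b, a)
        roles[(designated, other)] = "designated"
    # Root port on each non-root bridge: the neighbour offering the lowest cost.
    for name in bridges:
        if name == root:
            continue
        best = None
        for a, b, link_cost in links:
            if name not in (a, b):
                continue
            neighbour = b if a == name else a
            candidate = (cost[neighbour] + link_cost, bid[neighbour], neighbour)
            if best is None or candidate < best:
                best = candidate
        roles[(name, best[2])] = "root"
    # Anything that is neither designated nor root is non-designated (blocking).
    for a, b, _ in links:
        roles.setdefault((a, b), "blocking")
        roles.setdefault((b, a), "blocking")
    return root, cost, roles


# Constructed topology: SW3 has a lowered priority, so it wins regardless of MAC.
BRIDGES = {
    "SW1": (32768, "00:00:0c:00:00:01"),
    "SW2": (32768, "00:00:0c:00:00:02"),
    "SW3": (4096, "00:00:0c:00:00:03"),
}
LINKS = [
    ("SW1", "SW2", PORT_COST[100]),
    ("SW2", "SW3", PORT_COST[100]),
    ("SW1", "SW3", PORT_COST[1000]),
]

if __name__ == "__main__":
    root, cost, roles = port_roles(BRIDGES, LINKS)
    print("root:", root, "costs:", cost)
    for port, role in sorted(roles.items()):
        print("%s -> %s: %s" % (port[0], port[1], role))
```

With every switch left at the default priority of 32768 the election falls through to the MAC address, which is why the root should be fixed deliberately with a lower priority rather than left to whichever switch happens to have the lowest MAC.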
VLAN Trunking Protocol (VTP)
Developed by Cisco, it is the industry's first protocol implementation specifically designed for large VLAN deployments. VTP enhances VLAN deployment by providing the following:
o Integration of ISL, 802.10, and ATM LAN-based VLANs.
o Auto-intelligence within the switches for configuring VLANs.
o Configuration consistency across the network.
o An auto-mapping scheme for going across mixed-media backbones.
o Accurate tracking and monitoring of VLANs.
o Dynamic reporting of added VLANs across the network.
o Plug-and-play setup and configuration when adding new VLANs.
To allow VTP to manage your VLANs across the network, you must first create a VTP server. All servers that need to share VLAN information must use the same domain name, and a switch can only be in one domain at a time. If all your switches are in the same VLAN then you don't need to use VTP. VTP information is sent via trunk ports. Switches advertise the VTP management domain information, the configuration revision number, and all known VLANs with their specific parameters.

Modes of VTP
Server - the default mode for all Catalyst switches. You need at least one to propagate VLAN data throughout the domain. A switch must be in server mode to create, add, or delete VLANs in a VTP domain. Advertisements are sent every 5 minutes or whenever there is a change.
Client - receives information from VTP servers and sends and receives updates, but can't make any changes. To add a port on a switch to a VLAN, first make it a client to update the database, then change it to a server to make the changes and have them advertised.
Transparent - doesn't participate in the VTP domain, but will still forward VTP advertisements through the configured trunk links. It can add and create VLANs, as it doesn't share its database with any other switch, but those VLANs are only locally significant.
Caveat: switches in a domain accept the advertisement carrying the highest configuration revision number, so a switch (server or client) plugged in with a higher revision than the domain's overwrites the VLAN database of every switch in the domain. Reset a switch's revision number (for example by changing its VTP domain name) before connecting it.

VTP Pruning
Disabled by default. Pruning configures VTP to reduce the amount of broadcasts, multicasts, and other unicast packets in order to conserve bandwidth. When you enable VTP pruning on a server, you enable it for the entire domain. VLAN 1 can never be pruned because it is an administrative VLAN.

Cisco Discovery Protocol (CDP)
CDP is a media- and protocol-independent protocol that runs on all Cisco-manufactured equipment including routers, bridges, access and communication servers, and switches. Using CDP, you can view information about all the Cisco devices directly attached to the device. In addition, CDP detects native VLAN and port duplex mismatches.
CDP runs on all media that support the Subnetwork Access Protocol (SNAP). CDP runs over the data link layer only. Cisco devices never forward CDP packets. When new CDP information is received, Cisco devices discard the old information.
Because CDP advertises the platform, software version, and addresses in cleartext to whatever is plugged into the port, disable it on interfaces facing untrusted networks (no cdp enable on the interface, or no cdp run globally).

CDP Default Configuration
Feature                   Default Value
CDP global enable state   Enabled
CDP port enable state     Enabled on all ports
CDP message interval      60 seconds
CDP holdtime              180 seconds
CDP commands are listed on page 2.

CDP Neighbor Information includes:
- Neighbor's device ID
- Local port type and number
- Holdtime value (in seconds)
- Neighbor's hardware platform
- Neighbor's network device capability
- Neighbor's remote port type and number

CDP Neighbor Detail Information
Additional detail is shown about neighbors, including network address, enabled protocols, and software version.

High-Level Data Link Control (HDLC)
HDLC is the default encapsulation used by Cisco routers over synchronous serial links. HDLC is a bit-oriented ISO standard Data Link layer protocol. It specifies a method to encapsulate data over synchronous serial links using frame characters and checksums. HDLC is a point-to-point protocol used on leased lines between Cisco devices. If you need to establish a link between a Cisco device and a non-Cisco device, you must use PPP encapsulation instead of HDLC. No authentication can be used with HDLC. The reason each vendor has a proprietary HDLC encapsulation is that each has its own way for HDLC to identify the Network layer protocol, since the ISO standard doesn't allow for multiple protocols on a single link.

Ethernet Frames
Used at the Data Link layer to encapsulate packets handed down from the Network layer for transmission on a medium. There are four types:
1.) Ethernet_II frames have a type field in their frame.
2.) IEEE 802.3 frames have a length field in their frame.
3.) IEEE 802.2 - an 802.3 frame can't carry information about the upper layer protocol (Network layer), so it is combined with the 802.2 (LLC) header to provide this function.
4.) 802.2 SNAP (Subnetwork Access Protocol)
- SNAP was created because not all protocols worked well with the 802.3 frame, which has no ether-type field.
- An 802.2 frame is an 802.3 frame with the LLC info (DSAP and SSAP) in the data field.
- A SNAP frame's DSAP and SSAP are always set to AA, with the control field set to 03.
- SNAP is mostly seen with proprietary protocols such as AppleTalk and Cisco CDP.

Setting Passwords
Setting the enable and enable secret passwords:
Router(config)#enable password ccna
Router(config)#enable secret ccna2
enable secret is stored as a hash and takes precedence when both are set; enable password is stored in cleartext in the configuration (or only reversibly obscured when service password-encryption is on). Use enable secret.

Setting the auxiliary port password:
Router(config)#line aux 0
Router(config-line)#login
Router(config-line)#password ccna

Setting the console password:
Router(config)#line con 0
Router(config-line)#login
Router(config-line)#password ccna
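The four Ethernet frame types above, the 802.1q tag described under Trunk types, and the store-and-forward size and CRC checks from the LAN switching modes are all decisions a switch makes on the first few bytes of a frame. The following added example, not from the cheat sheet, is a small classifier that makes those decisions on constructed frames: it recognises Ethernet_II by a type value of 0x0600 or more, raw 802.3 (Novell) by 0xFFFF at the start of the data, SNAP by DSAP/SSAP AA and control 03, and plain 802.2 LLC otherwise; it reads and strips an 802.1q tag (0x8100 after the source address, VLAN ID in the low 12 bits of the following word); and it applies the 64/1518/1522-byte limits with an FCS check. The MAC addresses are made up, apart from CDP's multicast address and SNAP OUI/type, and the FCS is computed as IEEE CRC-32 sent least-significant byte first.

```python
"""Added example (not from the cheat sheet): tell the four Ethernet frame
types apart, handle an 802.1Q tag the way a trunk port sees it, and apply
the store-and-forward size and CRC checks from the switching-modes section.

Rules used: a type/length field of 0x0600 or more is an Ethernet_II type;
otherwise it is an 802.3 length and the first payload bytes decide between
Novell's raw 802.3 (0xFFFF), SNAP (DSAP/SSAP 0xAA, control 0x03, then a
3-byte OUI and 2-byte type) and plain 802.2 LLC. 0x8100 at the type offset
is the 802.1Q tag protocol ID, and the 12 low bits of the following TCI
word are the VLAN ID. Frames here carry a trailing FCS (IEEE CRC-32 sent
least-significant byte first), so the 64/1518/1522-byte limits apply as
quoted. All sample frames are constructed; MACs are made up, except the
CDP multicast 01:00:0c:cc:cc:cc and CDP's SNAP OUI/type 00:00:0c/0x2000.
"""
import struct
import zlib

TPID_8021Q = 0x8100
ETH_II_MIN_TYPE = 0x0600
MIN_FRAME, MAX_UNTAGGED, MAX_TAGGED = 64, 1518, 1522


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def with_fcs(frame):
    """Append the 4-byte FCS (CRC-32, little-endian on the wire)."""
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


def add_tag(frame, vid, pcp=0):
    """Insert an 802.1Q tag after the source MAC (what a trunk port does on egress)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame):
    """Remove the tag, as a switch does before forwarding onto an access link."""
    if frame[12:14] == b"\x81\x00":
        return frame[:12] + frame[16:]
    return frame


def classify(frame):
    """Return frame type, VLAN ID (None if untagged) and the type/length details."""
    if len(frame) < 18:
        raise ValueError("truncated frame")
    off, vid = 12, None
    field = struct.unpack("!H", frame[off:off + 2])[0]
    if field == TPID_8021Q:
        vid = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        off += 4
        field = struct.unpack("!H", frame[off:off + 2])[0]
    payload = frame[off + 2:-4]          # everything between type/length and the FCS
    info = {"vlan": vid, "dst": frame[:6], "src": frame[6:12]}
    if field >= ETH_II_MIN_TYPE:
        info.update(kind="Ethernet_II", type=field)
    elif payload[:2] == b"\xff\xff":
        info.update(kind="802.3 raw (Novell)", length=field)
    elif len(payload) >= 8 and payload[:3] == b"\xaa\xaa\x03":
        info.update(kind="802.2 SNAP", length=field, oui=payload[3:6],
                    type=struct.unpack("!H", payload[6:8])[0])
    else:
        info.update(kind="802.2 LLC", length=field, dsap=payload[0], ssap=payload[1])
    return info


def store_and_forward_check(frame):
    """None if the switch would forward the frame, else why it is discarded."""
    if len(frame) < MIN_FRAME:
        return "runt (<64 bytes)"
    limit = MAX_TAGGED if frame[12:14] == b"\x81\x00" else MAX_UNTAGGED
    if len(frame) > limit:
        return "giant (>%d bytes)" % limit
    if struct.unpack("<I", frame[-4:])[0] != zlib.crc32(frame[:-4]) & 0xFFFFFFFF:
        return "CRC error"
    return None


# Constructed sample frames, each with 46 bytes of payload so the untagged ones are exactly 64 bytes.
ETH2_NOFCS = mac("ff:ff:ff:ff:ff:ff") + mac("00:00:0c:00:00:01") + struct.pack("!H", 0x0800) + bytes(46)
ETH2 = with_fcs(ETH2_NOFCS)
TAGGED = with_fcs(add_tag(ETH2_NOFCS, 10, pcp=3))
SNAP_PAYLOAD = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x0C, 0x20, 0x00]) + bytes(38)   # CDP over SNAP
SNAP = with_fcs(mac("01:00:0c:cc:cc:cc") + mac("00:00:0c:00:00:02") + struct.pack("!H", 46) + SNAP_PAYLOAD)
RAW = with_fcs(mac("ff:ff:ff:ff:ff:ff") + mac("00:00:0c:00:00:03") + struct.pack("!H", 46) + b"\xff\xff" + bytes(44))
LLC = with_fcs(mac("ff:ff:ff:ff:ff:ff") + mac("00:00:0c:00:00:04") + struct.pack("!H", 46) + bytes([0xE0, 0xE0, 0x03]) + bytes(43))

if __name__ == "__main__":
    for name, frame in (("Ethernet_II", ETH2), ("tagged", TAGGED), ("SNAP", SNAP), ("raw", RAW), ("LLC", LLC)):
        print(name, len(frame), classify(frame)["kind"], classify(frame)["vlan"], store_and_forward_check(frame))
```

Note that `strip_tag` throws the VLAN ID away: a device on an access link sees nothing but a normal frame, which is exactly the "unaware of VLAN membership" behaviour described under Access Links.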